Auditing IT Vulnerabilities

IT vulnerabilities are weaknesses or exposures in IT assets or processes that may lead to a business risk or security risk. Examples include:
- Networks exposed to attackers
- Viruses and worms
- Inadequate password management
- Weak cryptography
- Inappropriate access to files
- Misconfigured applications

Vulnerability management is the set of processes and technologies that an organization employs to identify, assess, and remediate vulnerabilities.
Regulations
- Sarbanes-Oxley Act of 2002
- U.S. Federal Financial Institution Examination Council
- Canadian and Japanese versions of SOX
Vulnerability Management Lifecycle

Identify and Validate
- Scope Systems
- Detect Vulnerabilities
- Validate Findings

Assess Risk and Prioritize
- Assess Risks
- Prioritize Vulnerabilities

Remediation
- Mitigate Critical Vulnerabilities
- Create a Vulnerability Mitigation Process
- Stop the Spread
- Set Expectations With an Operational Level Agreement (OLA)

Continually Improve
- Achieve Efficiency Through Automation
- Use Past Experience to Guide Future Actions
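The "Validate Findings", "Assess Risks", "Prioritize Vulnerabilities" and "Set Expectations With an OLA" steps above are where an auditor most often finds the process breaking down: findings are ranked on the scanner's score alone, unvalidated noise competes with real exposures, and no deadline is attached to the result. The script below is an added example, not material from the original slides. It weights each validated finding's CVSS base score by an asset-criticality value taken from the asset inventory, maps the result to a priority tier, and assigns a remediation due date from an assumed OLA window. The host names, vulnerability identifiers, criticality scale, tier thresholds and OLA windows are all constructed for illustration.

```python
"""Rank validated findings by risk and attach an OLA due date.

Added example (not from the original slides). The risk formula, the
priority tiers and the OLA windows below are illustrative assumptions;
an organization would substitute its own agreed values.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed OLA windows: days allowed to remediate, per priority tier.
OLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str             # scanner plugin id or CVE (constructed values below)
    cvss: float              # CVSS base score, 0.0 to 10.0
    asset_criticality: int   # 1 (low) to 3 (business critical), from the asset inventory
    validated: bool          # True once a human has confirmed it is not a false positive
    found_on: date


def risk_score(f: Finding) -> float:
    """CVSS weighted by asset criticality: range 0.0 to 30.0 under these assumptions."""
    return round(f.cvss * f.asset_criticality, 1)


def priority_tier(score: float) -> str:
    """Map a weighted score onto the assumed tiers (thresholds are illustrative)."""
    if score >= 21.0:
        return "critical"
    if score >= 12.0:
        return "high"
    if score >= 6.0:
        return "medium"
    return "low"


def prioritize(findings: list[Finding]) -> list[dict]:
    """Drop unvalidated findings, then rank the rest and set an OLA due date."""
    ranked = []
    for f in findings:
        if not f.validated:
            continue  # "Validate Findings" comes before "Assess Risks" in the lifecycle
        score = risk_score(f)
        tier = priority_tier(score)
        ranked.append({
            "host": f.host,
            "vuln_id": f.vuln_id,
            "risk_score": score,
            "tier": tier,
            "due": f.found_on + timedelta(days=OLA_DAYS[tier]),
        })
    # Highest weighted risk first; ties broken by earlier due date.
    ranked.sort(key=lambda r: (-r["risk_score"], r["due"]))
    return ranked


# Constructed sample findings; identifiers and hosts are placeholders.
SAMPLE_FINDINGS = [
    Finding("db-01", "VULN-0001", 9.8, 3, True, date(2024, 1, 10)),
    Finding("web-02", "VULN-0002", 7.5, 2, True, date(2024, 1, 10)),
    Finding("kiosk-07", "VULN-0003", 9.8, 1, True, date(2024, 1, 10)),
    Finding("web-02", "VULN-0004", 5.3, 2, False, date(2024, 1, 10)),  # not yet validated
    Finding("hr-03", "VULN-0005", 4.0, 1, True, date(2024, 1, 10)),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f"{row['tier']:<8} {row['risk_score']:>5} {row['host']:<9} "
              f"{row['vuln_id']} due {row['due']}")
```

Note that the same CVSS 9.8 score lands in different tiers on the database server and the kiosk; that difference, and the fact that the unvalidated finding is held back rather than silently ranked, is what an auditor should expect to see in the organization's own prioritization records.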
How To Identify High and Low Performers

High Performers
- Have effective vulnerability management processes
- Have efficient processes that detect vulnerabilities almost in real time
- Promote secure configurations

Low Performers
- Have inefficient vulnerability detection and management processes
- Do not detect vulnerabilities
- Do not keep track of their IT assets
Metrics

Metric: Description

- Percent of total systems monitored or scanned: This measures the completeness of an organization's vulnerability management solution, whether it has awareness of all or some of its systems, and whether it is monitoring them.
- Number of unique vulnerabilities: This measures the amount of variance and risk [1] that exists among systems.
- Percent of total systems that are subject to a configuration management process: This measures the degree to which an organization has control over devices that are placed on its network. For instance, is the organization aware of every new device? Is each device configured with appropriate patch management and security controls?
- Percent of all detected vulnerabilities that have been validated: This measures the percentage of all vulnerabilities that have been validated or prioritized. It serves to highlight the difference between organizations that simply gather data and those that act on data.
- Mean time to remediate a vulnerability: This measures the efficiency of an organization in remediating vulnerabilities.
- Percentage of actionable vulnerabilities fixed within a predetermined time period: This measures the organization's ability to remediate the vulnerabilities it deems worthy of fixing. "Actionable" refers to the difference between all vulnerabilities and those that need to be fixed.
- Percentage of OLAs where performance targets have been achieved: This measures the effectiveness of the OLAs the organization has set for itself and for other groups.
- Percentage of the IT Security organization's time spent on unplanned work: This is a measure of how effective the organization is at implementing quality changes to IT assets, and how little time it spends reacting to failed changes or security incidents.
- Number of security incidents: This measures the number of compromises to the confidentiality, integrity, or availability of an organization's IT assets.
- Impact of security incidents: This measures, to the best extent possible, total dollar losses due to security incidents. This includes time and costs involved in investigating and correcting the incident and the impact to the business.
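Most of the metrics above can be computed mechanically from two things an auditor should ask for anyway: the asset inventory and the vulnerability tracking records. The script below is an added example, not part of the original slides. It takes a constructed inventory, the set of hosts the scanner actually reached, and a list of constructed finding records, and computes the coverage, unique-vulnerability, validation, mean-time-to-remediate, actionable-fixed-in-window and OLA-met metrics. It also reports hosts the scanner found that the inventory does not know about, which is the "is the organization aware of every new device?" question in the configuration management row. The record fields, the 30-day window and all sample values are assumptions; the OLA figure is computed per finding against its own deadline, a simplification of a per-agreement target.

```python
"""Compute vulnerability management metrics from tracking records.

Added example (not from the original slides). Inventory, scan results,
record fields and the remediation window are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    host: str
    vuln_id: str
    detected: date
    validated: bool                  # confirmed real, not a scanner false positive
    actionable: bool                 # deemed worth fixing after validation and prioritization
    ola_deadline: Optional[date]     # None when no OLA applies (e.g. accepted risk)
    remediated: Optional[date]       # None while the finding is still open


def pct(part: int, whole: int) -> float:
    """Percentage rounded to one decimal; 0.0 when the denominator is empty."""
    return round(100.0 * part / whole, 1) if whole else 0.0


def compute_metrics(inventory: set[str], scanned: set[str],
                    records: list[VulnRecord], window_days: int = 30) -> dict:
    validated = [r for r in records if r.validated]
    closed = [r for r in records if r.remediated is not None]
    actionable = [r for r in records if r.actionable]
    fixed_in_window = [r for r in actionable
                       if r.remediated is not None
                       and (r.remediated - r.detected).days <= window_days]
    with_ola = [r for r in records if r.ola_deadline is not None]
    ola_met = [r for r in with_ola
               if r.remediated is not None and r.remediated <= r.ola_deadline]

    mean_days = (round(sum((r.remediated - r.detected).days for r in closed) / len(closed), 1)
                 if closed else None)

    return {
        # Coverage: only hosts the organization knows about count toward the percentage.
        "pct_systems_scanned": pct(len(inventory & scanned), len(inventory)),
        # Hosts the scanner saw that the inventory does not list: a control gap in itself.
        "unknown_hosts_scanned": sorted(scanned - inventory),
        "unique_vulnerabilities": len({r.vuln_id for r in records}),
        "pct_findings_validated": pct(len(validated), len(records)),
        "mean_days_to_remediate": mean_days,
        "pct_actionable_fixed_in_window": pct(len(fixed_in_window), len(actionable)),
        "pct_ola_met": pct(len(ola_met), len(with_ola)),
    }


# Constructed sample data; host names and vulnerability ids are placeholders.
INVENTORY = {"db-01", "web-02", "hr-03", "kiosk-07", "fs-05"}
SCANNED = {"db-01", "web-02", "hr-03", "kiosk-07", "shadow-09"}
RECORDS = [
    VulnRecord("db-01", "VULN-0001", date(2024, 1, 10), True, True, date(2024, 1, 17), date(2024, 1, 15)),
    VulnRecord("web-02", "VULN-0002", date(2024, 1, 10), True, True, date(2024, 2, 9), date(2024, 2, 20)),
    VulnRecord("kiosk-07", "VULN-0001", date(2024, 1, 12), True, True, date(2024, 1, 19), date(2024, 1, 18)),
    VulnRecord("hr-03", "VULN-0003", date(2024, 1, 12), False, False, None, None),   # awaiting validation
    VulnRecord("web-02", "VULN-0004", date(2024, 1, 14), True, False, None, None),   # validated, risk accepted
]

if __name__ == "__main__":
    for name, value in compute_metrics(INVENTORY, SCANNED, RECORDS).items():
        print(f"{name:<32} {value}")
```

The unknown-host list and the 80% coverage figure come from the same two sets; reporting them together stops a high scan percentage from hiding devices that were never inventoried in the first place.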
Top 10 Questions CAEs Should Ask About Vulnerability Management
1. What percent of total systems are monitored or scanned?
2. How many unique vulnerabilities exist in your enterprise?
3. What percent of systems are managed?
4. What percent of vulnerabilities have you validated?
5. What is the mean time to remediate a vulnerability?
6. What percentage of actionable vulnerabilities were remediated in the past quarter?
7. What percent of your OLAs are met?
8. What percent of IT Security work is unplanned?
9. How many security incidents have you experienced during the past quarter?
10. What was the average cost of your last five security incidents?
Vulnerability Resources for the Internal Auditor
1. Common Vulnerability Scoring System (CVSS)
2. IIA Practice Advisory Information Security
3. ISO/IEC
4. The Laws of Vulnerabilities
5. National Vulnerability Database (NVD)
6. SANS Top Vulnerability Scanners
Conclusion

Auditors must have an effective vulnerability management program. They must design a process to detect, assess, and mitigate vulnerabilities on a continual basis. These tasks need to be integrated into the overall IT process framework and IT controls over financial accounting.